Friday, 3 January 2020

Businesses must make security and privacy concerns known to their governments

Benjamin Ang, Senior Fellow, Centre of Excellence for National Security, RSIS NTU International, says that everyone needs to pay attention to geopolitical developments as they can affect cybersecurity and privacy.

At the BlackBerry World Tour 2019 in Singapore in November 2019, Ang explained that state-sponsored attacks can affect businesses because they target critical infrastructure, including organisations like banks and utilities. Companies that have links to such organisations are also at risk, he said.

"As long as you have suppliers or customers that are likely to be affected, you are going to be affected," he warned, listing specific countries as being top targets for cybercriminals.

"If you have suppliers or customers in the US, UK, Germany, India, South Korea or China, your customers are at risk, your suppliers are at risk, you are at risk."

Some issues at play include:

- No rules for cyber conflicts that mirror those for global warfare. Ang pointed out that while it is a war crime to target hospitals during war, there are no such penalties online.

- A lack of mobile data if power goes down, as backup generators typically do not serve cell towers. Without data and mobile devices, it is challenging for businesses to run.

- Cybercrime as a source of revenue for national coffers.

- Global hardware supply chains mean that actors from different countries can compromise that chain anywhere.

- Requests from governments around the world to vendors not to implement end-to-end data encryption.

The future, Ang said, may be zero trust architectures, where the network is assumed to be already compromised, so that protection is around resources within the network instead of the network perimeter.

"States have agreed on principles but not yet made rules about attacking civilians and businesses (online). In the physical world you can't bomb a civilian office or hospital but in the cyberworld you can. There's no rule about keeping the ICT supply chain clean. They can put malware anywhere and it's not against international law," he said.

Similarly, there is no law to punish states which choose not to disclose vulnerabilities, Ang noted.

Ang suggested that businesses join associations or movements that give them a voice, such as the Digital Geneva Convention, proposed by Microsoft, and the Cybersecurity Tech Accord to "send a signal to governments that this is important".

In Asia, ASEAN agreed to practical cybersecurity norms as far back as 2016, but many governments are still dragging their feet, Ang said. "These should be no-brainers but we have to remind our authorities that yes, when you go out into the international world, these are priorities for business," he said.

Ang suggested that the current priority on fake news may be misplaced. "Businesses are getting attacked and you want to censor fake news?" he asked, stressing that the commercial sector has a responsibility to tell the government that they need to protect businesses.

It is time for institutions, non-governmental organisations and academia to share views on responsible behaviour, Ang said, and have their voices heard during UN meetings. "Get the rules done right to protect us from the risks that are really facing us and help to get a more secure environment for businesses," he said.
